HIPAA is a US law intended to protect the privacy and security of protected health information (PHI). It sets rules for the many kinds of entities that handle PHI as part of normal business, and any organization entrusted with PHI must abide by it. Data collected through digital marketing, such as tracking pixels on a healthcare website, can sometimes count as PHI. This article covers what you need to know to keep your marketing HIPAA-compliant.
Disclaimer: This article is intended as a reference resource only, and is not legal advice. As with all legal matters, consult an attorney if you have questions about HIPAA compliance at your organization.
Quick Start Guide
Use these steps to help narrow down your organization's need for HIPAA compliance, then continue reading below for more information.
- Determine if your organization is a covered entity under HIPAA.
- Find out if and where your organization may be handling PHI.
- Ensure that your Feathr Super Pixel, Google Tag Manager (GTM) container, or any other tracking pixel you may be using is not installed anywhere PHI is handled or users log in.
- Do not target any audience based on information known about their health, whether that information was gathered through PHI or not.
- Do not use language specific to health conditions, treatment options, or health-based demographic information in your ad copy.
Contents
- Why is this topic relevant?
- What is HIPAA?
- Am I a covered entity under HIPAA?
- What is PHI?
- How do I ensure I'm compliant?
- Examples of Retargeting Campaigns
- Best Practices
Why is this Topic Relevant?
In March 2024, the HHS Office for Civil Rights updated its guidance on the use of online tracking technologies, with the goal of clarifying the information available to HIPAA covered entities and their business associates. As a result, HIPAA compliance in digital marketing was back on the minds of marketers at many healthcare and healthcare-adjacent organizations.
Because Feathr works with covered entities and their business associates using online tracking technologies, many of our customers have sought our guidance on this topic and reassurance that their digital marketing efforts are HIPAA compliant.
The HHS guidance clarified that it is the combination of individually identifiable health information and tracked website activity relating to that individual's specific past, present, or future health, health care, or payment for health care that is subject to the HIPAA Rules. Tracking on most pages that do not require a login does not have access to individuals' PHI and is therefore not regulated by the HIPAA Rules. Feathr does not track IP addresses by default, and Feathr customers control what (if any) personal identifiers are collected on their site(s).
Retargeting messaging can still spread awareness of the organization’s mission without appealing to individuals’ specific health care, or targeting the treatment of specific conditions.
What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a US law enacted to keep protected health information (PHI) private, both inside healthcare facilities and wherever else that information flows. HIPAA establishes standards for the electronic exchange, privacy, and security of this information, and grants individuals certain rights over their own PHI.
Importantly, HIPAA applies to healthcare providers, health plans, healthcare clearinghouses, and their business associates. If you are working in or near the healthcare industry, it is possible that HIPAA applies to your organization. If so, HIPAA compliance is essential in your marketing practices.
Am I a Covered Entity under HIPAA?
Unlike most laws, HIPAA and its enforcement do not apply to everyone in the US. They apply to what are known as covered entities.
HIPAA covered entities include health plans, clearinghouses, certain health care providers, and their business associates.
If you are uncertain whether your organization is a covered entity under HIPAA, this free tool [PDF] from the US Centers for Medicare & Medicaid Services (CMS) is an excellent resource.
Feathr does not sign business associate agreements (BAAs) with its customers. A BAA is the contract HIPAA requires before a covered entity may give a third party access to PHI. Because no BAA is in place, Feathr customers are not permitted to share PHI with Feathr.
What is PHI?
According to HHS, PHI is information, including demographic data, that relates to:
- an individual's past, present, or future physical or mental health condition
- the provision of health care to an individual
- the past, present, or future payment for the provision of health care to an individual
and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
Feathr customers working with health data should avoid tracking any data that may fall under these categories, and should take special care not to place the pixel on patient portal login or registration pages. In addition, the collection of any private medical information is prohibited by Feathr's Terms, and can result in the termination of your contract or account.
How do I ensure I'm compliant?
The key to HIPAA compliance in targeted marketing is to not track PHI, and to not build target audiences from any information that could even be related to PHI. Do not place tracking pixels on patient portals or anywhere a patient can log in to view health information. Additionally, do not place tracking on pages that do not require a login but that may nevertheless reveal health information: even a webpage about treatment options for a specific condition suggests that the people browsing it may have that condition.
Retargeting campaigns by covered entities must be careful not to use PHI when creating targeted audiences, and must also be careful not to display messages that imply knowledge of the audience's health information.
Examples of Retargeting Campaigns
For example, a dialysis clinic should not retarget visitors to its website with ads promoting a specific new treatment option.
The same clinic could run a compliant retargeting campaign with a broad message simply promoting the existence of the clinic, but only if it targets visitors to pages on its website that handle neither PHI nor specific treatment options. Even if the campaign creatives carry broad, HIPAA-compliant messaging, targeting visitors to pages about scheduling appointments, seeking treatment, or other indicators of health status may make the campaign itself non-compliant.
As a covered entity, it is your responsibility to keep your targeted advertising messages as broad as possible, and to build targeted audiences on nothing that could be considered health information.
Best practices
There are several steps you can take to protect the privacy of your audience while running Feathr campaigns.
- Don’t place the Feathr pixel on web pages that require patients to log in to access health information.
- Don’t collect any custom data that includes individually identifiable health information.
- Don’t design ad creatives targeting PHI, like specific conditions or treatments.
- Do follow HHS guidance and provide a notice of privacy practices.
- Do promote your organization and services through general awareness campaigns.
- Do engage your donors with fundraising appeals and track conversions related to fundraising activity.
- Do consult with your organization's legal counsel if you are unsure about whether your marketing activity runs up against PHI.
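One way to enforce the pixel-placement rule technically, rather than relying on someone remembering which pages carry the tag, is to load the pixel through a small guard that uses a default-deny allowlist of public paths and refuses to fire on portal or login paths, on pages whose URL suggests a condition or treatment, on URLs carrying an identifier in the query string, or in an authenticated session. This is an added example written for this article, not Feathr's code or the Feathr Super Pixel snippet; the path lists, the placeholder pixel URL, the `data-authenticated` body attribute and the function names are assumptions constructed for illustration.

```javascript
// Added example: gate a marketing pixel behind a default-deny allowlist so it
// only fires on pages explicitly approved as PHI-free. Everything else (login
// and portal paths, treatment or condition pages, URLs carrying identifiers,
// authenticated sessions, unparseable URLs) is skipped. Path lists and the
// pixel URL are constructed for illustration, not a real site map or tag.

const PIXEL_SRC = 'https://pixel.example.invalid/tag.js'; // placeholder, assumed

// Only these path prefixes (plus the home page) may load the pixel.
const PUBLIC_PATH_PREFIXES = ['/about', '/locations', '/donate', '/news', '/events'];

// Any of these as a whole path segment means "patient context": never track.
const SENSITIVE_SEGMENT =
  /(^|\/)(portal|login|logout|account|appointments?|schedul[a-z]*|conditions?|treatments?|billing|payments?)(\/|$)/;

// Substrings that suggest health-specific content even on public pages,
// e.g. /news/dialysis-treatment-options. Over-blocking is the safe failure.
const SENSITIVE_KEYWORDS = ['treatment', 'condition', 'diagnos', 'symptom', 'patient', 'therapy'];

// Query keys that would leak an identifier to the pixel vendor.
const SENSITIVE_QUERY_KEYS = ['patient', 'mrn', 'appt', 'token', 'email', 'phone'];

function normalizeUrl(href) {
  // URL() resolves "." and ".." segments; decoding makes %2F tricks match too.
  const u = new URL(href);
  let path = decodeURIComponent(u.pathname).toLowerCase().replace(/\/+/g, '/');
  if (path.length > 1 && path.endsWith('/')) path = path.slice(0, -1);
  return { path, params: u.searchParams };
}

// Returns { load: boolean, reason: string }. Pure, so it can be unit-tested
// without a browser.
function pixelDecision(href, opts = {}) {
  let parsed;
  try {
    parsed = normalizeUrl(href);
  } catch (e) {
    return { load: false, reason: 'unparseable-url' };
  }
  const { path, params } = parsed;

  if (opts.authenticated) return { load: false, reason: 'authenticated-session' };
  if (SENSITIVE_SEGMENT.test(path)) return { load: false, reason: 'sensitive-path' };
  if (SENSITIVE_KEYWORDS.some((k) => path.includes(k))) return { load: false, reason: 'sensitive-keyword' };
  if (SENSITIVE_QUERY_KEYS.some((k) => params.has(k))) return { load: false, reason: 'sensitive-query' };

  const allowed = path === '/' ||
    PUBLIC_PATH_PREFIXES.some((p) => path === p || path.startsWith(p + '/'));
  return allowed ? { load: true, reason: 'allowlisted' } : { load: false, reason: 'not-on-allowlist' };
}

// Injects the pixel <script> only when pixelDecision allows it. `doc` is
// passed in so the function can be exercised with a stub outside a browser.
function installPixelIfAllowed(doc, href, authenticated) {
  const decision = pixelDecision(href, { authenticated });
  if (decision.load) {
    const s = doc.createElement('script');
    s.src = PIXEL_SRC;
    s.async = true;
    doc.head.appendChild(s);
  }
  return decision;
}

if (typeof document !== 'undefined') {
  // Browser entry point. Assumed site convention: server-rendered pages mark a
  // logged-in session with <body data-authenticated="true">.
  const authed = !!(document.body && document.body.dataset.authenticated === 'true');
  installPixelIfAllowed(document, location.href, authed);
}
```

Place this before the vendor's own tag and let `installPixelIfAllowed` decide whether that tag is ever inserted. The allowlist is the important part: a denylist alone will miss the next new portal path, while a missed allowlist entry only costs a retargeting impression. Every path you add to the allowlist still needs a human review of its content against the PHI definition above, since the URL alone cannot tell you whether a public page reveals health status.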